How hard is it to break into the email accounts used by staff and students at US universities?

Based on the unsettling details of a case made public by the US Department of Justice (DOJ), in some cases not as hard as it should be.

According to an FBI indictment announcing his arrest last week, 29-year-old Jonathan Powell allegedly hacked more than 1,000 email accounts at two US universities by doing nothing more sophisticated than exploiting weaknesses in how passwords are reset.

Powell targeted 75 US institutions all told, but his campaigns against Pace University in New York and an unnamed university in Pennsylvania were almost industrial in scale.

Between October 2015 and September this year, logs showed that he’d tried to change the passwords for 2,054 different email accounts at Pace University a total of 18,600 times.

Some of the time he failed but he did eventually break into 1,035 accounts, a few of which were reset more than once.

He found the going tougher at the Pennsylvania institution but still compromised 15 accounts from 220 targeted.

Once in control of the accounts, Powell is alleged to have launched password reset attacks on other services used by the account holders, including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo!

According to Manhattan Attorney Preet Bharara:

This case should serve as a wake-up call for universities and educational institutions around the country. Powell used password reset tools to basically pick the lock of thousands of personal spaces and look around at what was stored there.

Audacious attacks by lone hackers usually boil down to two issues: how did they do it (and could someone else replicate the same attack) and why did they do it?

The why bit is difficult to answer in advance of any trial, but the DOJ said he’d trawled a compromised Gmail account for digital pictures and the words “password”, “naked”, “cum” and “horny”, which points to personal rather than professional interests.

The indictment doesn’t explain the how, but the most likely reason is a failure to enforce strong passwords.

If the password is short or too obvious, all an attacker has to do is initiate a password reset using some guessing strategy and a user ID. That might explain why in the case of the Pace University attack Powell took more than 18,000 tries against 2,000 or so accounts and ended up compromising around 1,000.

That’s a 50 percent success rate over a 12-month period, which also implies that there was no guess limit.
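The volume described above (thousands of reset attempts against the same accounts with no limit) is exactly what a sliding-window count of reset attempts would surface. As an added example that is not from the article or the universities involved, the following parses constructed reset-attempt log lines and flags any account or source address that exceeds an attempt limit inside a time window; the log format, thresholds and sample data are assumptions.

```python
"""Detect password-reset brute forcing in reset-attempt logs.
Added example; the log format, sample lines and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per reset attempt, oldest first.
SAMPLE_LOG = """\
2016-03-01T09:00:00Z reset user=alice src=203.0.113.5 result=fail
2016-03-01T09:00:02Z reset user=alice src=203.0.113.5 result=fail
2016-03-01T09:00:04Z reset user=alice src=203.0.113.5 result=fail
2016-03-01T09:00:06Z reset user=alice src=203.0.113.5 result=success
2016-03-01T09:01:00Z reset user=bob src=203.0.113.5 result=fail
2016-03-01T09:01:03Z reset user=bob src=203.0.113.5 result=success
2016-03-01T11:30:00Z reset user=carol src=198.51.100.9 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) reset user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Return a list of (timestamp, user, source, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_abuse(events, window=timedelta(minutes=10), user_limit=3, src_limit=5):
    """Users and sources whose attempts in any `window` exceed the limit (a lockout rule)."""
    by_user, by_src = defaultdict(list), defaultdict(list)
    for ts, user, src, _ in events:
        by_user[user].append(ts)
        by_src[src].append(ts)
    users = sorted(u for u, t in by_user.items() if max_in_window(t, window) > user_limit)
    srcs = sorted(s for s, t in by_src.items() if max_in_window(t, window) > src_limit)
    return {"users": users, "sources": srcs}
```

The same `max_in_window` count, evaluated at request time rather than over a log, is the check a reset endpoint would apply before accepting another attempt.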

While it’s true that email users shouldn’t set weak passwords, the best way to avoid this is by making length and complexity a requirement during enrollment.

Email administrators at universities across the world will doubtless be scrambling to double-check their own reset procedures and left pondering whether the time has come to start using two-step verification security.

Powell has been charged with one count of fraud which carries a maximum sentence of five years in prison.

6 comments on “Hacker used password resets to break into 1,050 university email accounts”

I don’t understand how weak passwords can help on a password reset attack. If you need a password reset, you don’t know the password, so its complexity is irrelevant. This is probably a case of bad security questions. Could you please re-research if this is the case and update the article?

I’ve yet to hear of a password reset method that requires you to know your previous one (the loss of which is usually why you’re resetting it).
I think you’re confusing “password reset” with “password change”.

Best I can come up with (which is purely headcanon right now) is that the mention of previous passwords was meant to be related to the attacker supposedly guessing a previous one for a different but related account, which aided in the initial set-up (or inspiration) of the attacks.

I think the onus here is definitely on the universities to ensure their password reset procedure has more “identity confirmation” steps in it OR has a more robust question/answer set that students need to set up.

John E Dunn, if you have the password to reset it, you already have gained access. Most password resets either send a link to the account’s email address to reset it, not requiring you to know the current password, or ask a set of security questions to verify that the person requesting a reset is actually the account holder.
The only time I am aware of that a system would ask for your current password is if you are already logged in with that password and requesting a password reset.